Control Egress Traffic

By default, Istio-enabled services are unable to access URLs outside of the cluster because iptables is used in the pod to transparently redirect all outbound traffic to the sidecar proxy, which only handles intra-cluster destinations.

This task describes how to configure Istio to expose external services to Istio-enabled clients. You’ll learn how to enable access to external services using egress rules, or alternatively, to simply bypass the Istio proxy for a specific range of IPs.

Make a request to the external HTTPS service. External services of type HTTPS must be accessed over HTTP with the port specified in the request:

curl http://www.google.com:443

Setting route rules on an external service

Similar to inter-cluster requests, Istio routing rules can also be set for external services that are accessed using egress rules. To illustrate we will use istioctl to set a timeout rule on calls to the httpbin.org service.

From inside the pod being used as the test source, invoke the /delay endpoint of the httpbin.org external service:

This time a 504 (Gateway Timeout) appears after 3 seconds. Although httpbin.org was waiting 5 seconds, Istio cut off the request at 3 seconds.

Calling external services directly

The Istio egress rules currently only supports HTTP/HTTPS requests. If you want to access services with other protocols (e.g., mongodb://host/database), or if you want to completely bypass Istio for a specific IP range, you will need to configure the source service’s Envoy sidecar to prevent it from intercepting the external requests. This can be done using the --includeIPRanges option of istioctl kube-inject when starting the service.

The simplest way to use the --includeIPRanges option is to pass it the IP range(s) used for internal cluster services, thereby excluding external IPs from being redirected to the sidecar proxy. The values used for internal IP range(s), however, depends on where your cluster is running. For example, with Minikube the range is 10.0.0.1/24, so you would start the sleep service like this:

After starting your service this way, the Istio sidecar will only intercept and manage internal requests within the cluster. Any external request will simply bypass the sidecar and go straight to its intended destination.

Understanding what happened

In this task we looked at two ways to call external services from within an Istio cluster:

Using an egress rule (recommended)

Configuring the Istio sidecar to exclude external IPs from its remapped IP table

The first approach (egress rule) currently only supports HTTP(S) requests, but allows you to use all of the same Istio service mesh features for calls to services within or outside of the cluster. We demonstrated this by setting a timeout rule for calls to an external service.

The second approach bypasses the Istio sidecar proxy, giving your services direct access to any external URL. However, configuring the proxy this way does require cloud provider specific knowledge and configuration.

Cleanup

Egress Rules and Access Control

Note that Istio Egress Rules are not a security feature. They enable access to external (out of the service mesh) services. It is up to the user to deploy appropriate security mechanisms such as firewalls to prevent unauthorized access to the external services. We are working on adding access control support for the external services.